Deloitte 2008 survey reveals growing information security risk

The global economic crisis hitting the financial services sector is also fuelling a growing information security risk. According to the latest Deloitte Touche Tohmatsu Global Financial Services Industry, Security Survey 2008, security attacks that exploit human error and breaches caused by distracted or disgruntled employees are likely to be the root cause of information security failures in coming months.

The majority (86 per cent) of respondents to DTT's sixth annual Global Security Survey confirm that human error is the leading cause of information systems failure. This finding recognises that, while people are an organisation's greatest asset, they are also its weakest link, particularly in difficult economic times when job insecurity and increased stress levels may lead employees to behave in atypical ways.

The Deloitte GFSI survey, based on interviews with senior security officers from the world's top 100 global financial institutions, is seen by many as a global benchmark for the state of IT security and privacy in the financial sector.

While both internal and external security breaches at financial institutions worldwide have fallen over the past 12 months, employee misconduct is a growing concern for these organisations. More than a third (36 per cent) of respondents expressed concern about insiders' misconduct, compared to only 13 per cent who are concerned about external exploits. Furthermore, six in ten (58 per cent) of survey participants feel "not very" or "only somewhat" confident in their ability to protect their organisation from internal cyber-attacks.

The growing popularity of social networks and the proliferation of mobile media such as USB keys, MP3 players and PDAs all cause an extra load on internal and external security. Interestingly, more than half of financial institutions surveyed now restrict the use of social networks and instant messaging (53 per cent and 58 per cent respectively), yet 90 per cent allow employees to use mobile devices.

"Mobile devices almost certainly contribute to greater productivity. However, they also present opportunities for unauthorised download and storage of confidential information in a potentially unprotected medium - an ideal environment for data leakage or data loss. It is alarming to observe that only 55 per cent of the financial services organisations surveyed have fully deployed encryption within their organisations. Less than a third (28 per cent) have data 'at rest' encryption or information leakage and insider threat detection tools deployed. The good news is that 32 per cent of respondents plan to deploy insider threat detection tools over the coming 12 months," the survey says.

"Financial institutions are facing a battle on two fronts in their efforts to protect consumers' personal information," said Adel Melek, DTT leader, Enterprise Risk Services, Global Financial Services Industry. "On one front is the growing sophistication of attacks and the magnitude and frequency of data losses and breaches of customer information. On the other front are the growing regulatory expectations in a challenging economic environment and the massive layoffs that result in a distracted or insecure workforce and disgruntled former employees. In this economic climate, it is vital that financial institutions become extra vigilant in protecting their data, and implementing checks and measures to reduce the potential for, and impact of, security failures."

Steve Cachia, head of Deloitte Malta's Enterprise Risk Services, told The Times Business: "By cutting IT budgets and reducing their spending on security, companies make themselves more susceptible to many risks. There has never been a more important time for financial institutions to maintain their investment and focus on security."

The pressure financial institutions are now facing to reduce costs also adds to the heightened information security threat. While 60 per cent of respondents confirmed that their information security budgets have increased, these increases do not keep pace with the current security challenges and needs. More than half (56 per cent) of respondents say that budgetary constraints and/or lack of resources are the leading barriers to ensuring information security, while "lack of resources" (33 per cent) is identified as the leading cause of information security project failure. Additionally, an increasing number of respondents (15 per cent vs. 13 per cent in 2007) acknowledge that expenditure on information security is falling behind.

"As the financial crisis continues to bite deep, organisations may look to save money by cutting IT budgets and reducing spending on security infrastructure," said Mr Melek. "But as tempting as this may be, now is not the time to cut security protection costs. If the guard is lowered, there will be people waiting to exploit any weaknesses resulting from such 'cost-saving' measures. Now, more than ever, financial institutions should maintain their investment in, and focus on, security."
